What is public isn’t safe

I spent part of my winter holidays in Andalucia. Granada, Malaga, Cadiz, Sevilla and Cordoba, then we went to Barcelona, truly a magnificent city, full of culture, life and history. Gaudi, Columbus, Güell, La Rambla, the Gothic Quarter, these are just a few of the things which make Barcelona what it is.

We rented what Americans would call a ‘loft’ – a big living space without walls. In our case, it had simple yet cozy decoration, utilities, a TV and of course, a computer connected to the Internet for the guests to check their mail, running Windows XP Home edition.

Being an inquisitive type, the first thing for me to do on the loft computer was to run Regedit and look at some of the standard Run keys. Unsurprisingly, there were at least four entries there which looked suspicious, files such as “clock.exe” in the system32 directory being executed at startup and sure enough, Taskman showed them running in memory.
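The manual Regedit-and-Taskman check described above can be scripted. The following is an added example, not code from the original post or from Kaspersky: it enumerates the standard Run/RunOnce autostart keys, resolves each value to an executable path, and reports whether that binary is currently running and whether it carries a valid Authenticode signature, so unsigned entries living in system32 stand out for a closer look. It assumes a modern Windows host with Windows PowerShell 5.1 or later (the XP machine in the story predates PowerShell), and its command-line parsing is a deliberate simplification that handles quoted paths and the common `C:\path\name.exe /args` form.

```powershell
# Added example (not from the original post): audit the standard autostart Run keys.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt to read HKLM reliably.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds for its own bookkeeping, not real Run entries.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a Run value such as  "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg.
function Get-ExecutablePath([string]$command) {
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        return $c.Substring(1, $c.IndexOf('"', 1) - 1)
    }
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

# Full paths of everything currently running (the scripted version of "sure enough, Taskman showed them").
$running = Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
        $exists = Test-Path -LiteralPath $exe
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Path       = $exe
            Running    = ($running -contains $exe)
            Signature  = $sig
            InSystem32 = ($exe -like "$env:SystemRoot\system32\*")
        }
    }
}

# Everything, then the subset that deserves a second look: unsigned or missing binaries.
$report | Sort-Object Signature | Format-Table -AutoSize
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, Path, Running, Signature, InSystem32 -AutoSize
```

A valid signature is not proof of benign software, and a missing one is not proof of malware; the list is a triage aid that narrows the hundreds of possible autostart locations down to the handful of entries worth submitting to a scanner or examining by hand.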

I quickly brought up the web browser and pointed it to a beta copy of the Kaspersky Online Scanner – a free, rich-featured web-based scanner using the standard KAV engine but which doesn’t require any special installation or purchase.

The scan results were impressive, or maybe a better word is scary – this single machine was running two popular worms – Mabutu.A and LovGate.AE, and no less than 15 different trojans and spying software. There were a couple of TrojanSpy binaries which are supposed to steal e-banking information, some which steal common website login/passwords and of course, some which record every keystroke and mail it to a certain address from time to time.

But not all the suspicious Run entries were detected. One of them came up clean, and that made me even more curious. The relevant software seemed to be a commercial application called “Kechua”. Poking a little bit at it with various tools showed me that it took a capture of the screen every 5 minutes, besides intercepting information entered via the keyboard. I found a subfolder in the “Kechua” installation directory with over 5000 capture files, dating almost 2 years back. Needless to say, lots of people over this time had checked mail, talked to the relatives back home on IM, browsed the web, and so on…

I temporarily deactivated this program, deleted the captures of me scanning the computer, called the owner and suggested he buy an antivirus. Then I turned the machine off and focused on the city and its inhabitants. My mail can wait. Public computers are simply too unsafe to use.
